3083. [bug] NOTIFY messages were not being sent when generating

a NSEC3 chain incrementally. [RT #23702]

3083. [bug] NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
5095e72a · Mark Andrews · 653cad79 · 5095e72a · 5095e72a · 5095e72a
Commit 5095e72a authored Mar 21, 2011 by Mark Andrews
6 changed files
--- a/CHANGES
+++ b/CHANGES
+3083.	[bug]		NOTIFY messages were not being sent when generating
+			a NSEC3 chain incrementally. [RT #23702]
+
 3082.	[port]		strtok_r is threads only. [RT #23747]

 3081.	[bug]		Failure of DNAME substitution did not return

--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.34 2010/11/16 01:14:51 marka Exp $ */
+/* $Id: named.conf,v 1.35 2011/03/21 01:02:39 marka Exp $ */

 // NS2

@@ -33,6 +33,7 @@ options {
 	notify yes;
 	dnssec-enable yes;
 	dnssec-validation yes;
+	notify-delay 1;
 };

 zone "." {
@@ -95,4 +96,10 @@ zone "algroll" {
 	file "algroll.db.signed";
 };

+zone "nsec3chain-test" {
+	type master;
+	file "nsec3chain-test.db.signed";
+	allow-update {any;};
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.47 2011/03/05 06:35:41 marka Exp $
+# $Id: sign.sh,v 1.48 2011/03/21 01:02:39 marka Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -162,3 +162,21 @@ keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 cat $infile $keynew1.key $keynew2.key >$zonefile

 $SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
+
+#
+# 
+#
+zone=nsec3chain-test
+zonefile=nsec3chain-test.db.signed
+
+cat > $zonefile << EOF
+@	10	SOA	ns2 hostmaster 0 3600 1200 864000 1200
+@	10	NS	ns2
+@	10	NS	ns3
+ns2	10	A	10.53.0.2
+ns3	10	A	10.53.0.3
+EOF
+awk 'END { for (i = 0; i < 1000; i++)
+	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile
+k=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
+k=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.45 2011/03/05 06:35:41 marka Exp $ */
+/* $Id: named.conf,v 1.46 2011/03/21 01:02:39 marka Exp $ */

 // NS3

@@ -217,4 +217,10 @@ zone "split-smart.example" {
 	file "split-smart.example.db";
 };

+zone "nsec3chain-test" {
+        type slave;
+        file "nsec3chain-test.bk";
+	masters { 10.53.0.2; };
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.82 2011/03/05 19:39:06 each Exp $
+# $Id: tests.sh,v 1.83 2011/03/21 01:02:39 marka Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1252,5 +1252,35 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+echo "I:check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
+ret=0
+(
+echo zone nsec3chain-test
+echo server 10.53.0.2 5300
+grep DNSKEY ns2/Knsec3chain-test.*.key |
+sed -e 's/.*://' -e 's/^/update add /' -e 's/IN/300 IN/'
+echo update add nsec3chain-test. 0 nsec3param 1 0 1 -
+echo send
+) | $NSUPDATE
+for i in 1 2 3 4 5 6 7 8 9 
+do
+	$DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+	if grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null
+	then
+		break;
+	fi
+	echo "I:sleeping ...."
+	sleep 3
+done;
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:nsec3 chain generation not complete"; fi
+sleep 3
+$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.597 2011/03/17 05:21:50 marka Exp $ */
+/* $Id: zone.c,v 1.598 2011/03/21 01:02:39 marka Exp $ */

 /*! \file */

@@ -6285,6 +6285,7 @@ zone_nsec3chain(dns_zone_t *zone) {

 	LOCK_ZONE(zone);
 	zone_needdump(zone, DNS_DUMP_DELAY);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 	UNLOCK_ZONE(zone);

 done: